CVE-2024-31214

Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it's not for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DOS, etc. The default install of Traccar makes this vulnerability more severe. Self-registration is enabled by default, allowing anyone to create an account to exploit this vulnerability. Traccar also runs by default with root/system privileges, allowing files to be placed anywhere on the file system. Version 6.0 contains a fix for the issue. One may also turn off self-registration by default, as that would make most vulnerabilities in the application much harder to exploit by default and reduce the severity considerably.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/model/Device.java#L56	Product
https://github.com/traccar/traccar/blob/v5.12/src/main/java/org/traccar/api/resource/DeviceResource.java#L191	Product
https://github.com/traccar/traccar/commit/3fbdcd81566bc72e319ec05c77cf8a4120b87b8f	Patch
https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9	Exploit Vendor Advisory
https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/model/Device.java#L56	Product
https://github.com/traccar/traccar/blob/v5.12/src/main/java/org/traccar/api/resource/DeviceResource.java#L191	Product
https://github.com/traccar/traccar/commit/3fbdcd81566bc72e319ec05c77cf8a4120b87b8f	Patch
https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*

History

09 Jan 2025, 16:14

Type	Values Removed	Values Added
First Time		Traccar traccar Traccar
CPE		cpe:2.3:a:traccar:traccar::::::::
References	~~() https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/model/Device.java#L56 -~~	() https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/model/Device.java#L56 - Product
References	~~() https://github.com/traccar/traccar/blob/v5.12/src/main/java/org/traccar/api/resource/DeviceResource.java#L191 -~~	() https://github.com/traccar/traccar/blob/v5.12/src/main/java/org/traccar/api/resource/DeviceResource.java#L191 - Product
References	~~() https://github.com/traccar/traccar/commit/3fbdcd81566bc72e319ec05c77cf8a4120b87b8f -~~	() https://github.com/traccar/traccar/commit/3fbdcd81566bc72e319ec05c77cf8a4120b87b8f - Patch
References	~~() https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9 -~~	() https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9 - Exploit, Vendor Advisory

Information

Published : 2024-04-10 18:15

Updated : 2025-01-09 16:14

NVD link : CVE-2024-31214

Mitre link : CVE-2024-31214

CVE.ORG link : CVE-2024-31214

JSON object : View

Products Affected

traccar

traccar

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

9.6 /10